Thursday, January 28, 2010


A new spam study

According to the lede in a New Scientist article from Monday:

Spammers’ own trickery has been used to develop an “effectively perfect” method for blocking the most common kind of spam, a team of computer scientists claims.

The team turned one of their computers into a zombie, but, well, not quite: they were still in control of it, even while it was part of its botnet. And while it followed the orders of the botnet controller, the researchers recorded and analyzed what was going on.

In particular, they looked at the variations in the messages, and used that to form a profile of the spam the botnet was generating:

After analysing 1000 emails generated by this compromised machine — less than 10 minutes’ work for most bots — the researchers were able to reverse-engineer the template. Knowledge of that template then enabled filters to block further spam from that bot with 100 per cent accuracy.

High accuracy can be achieved by existing spam filters, but sometimes at the cost of blocking legitimate mail. The new system did not produce a single false positive when tested against more than a million genuine messages, says Andreas Pitsillidis, one of the team: “The biggest advantage is this false positive rate.”

How useful is this?

Not very. It’s interesting as a case study — and I’d like to see the paper that came out of this work. But it has little practical value. First, as Michael O’Reirdan points out in the article, even if we can stop a spam run one minute in, much less ten, the botnet would have sent out millions of messages already.

Second, for this to be of more than passing interest, we’d have to make sure the people using it had machines on every spam botnet out there, or at least most of them.

Third, smart botnet software can get around this mechanism by changing its template every couple of minutes, and can even learn to detect the spy machine and isolate it from the botnet. In the worst case, it might even be able to feed the spy bad information that could result in the blocking of legitimate mail — just the opposite of the zero false-positive rate the researchers are so happy with.

Finally, it’s not really a surprising result, that infiltrating a botnet allows us to figure out how it works and to temporarily interfere with its operation. But botnet software changes rapidly, and we have to keep learning as it changes.

I like the idea of using this to investigate and experiment with botnets. But let’s keep our expectations realistic. This, as everything else that anyone’s proposed, is not the Final Ultimate Solution to the Spam Problem.

No comments: